Remote control of secure installations

ABSTRACT

Communication apparatus includes a one-way, hardware-actuated data relay, which includes a first hardware interface configured to receive a command from a communications network and a second hardware interface configured to convey the received command to a protected destination when the relay is actuated. A decoder includes a third hardware interface configured to receive a digital signature for the command from the communications network and hardware decoding logic coupled to verify the digital signature and to actuate the relay upon verifying the digital signature, whereby the command is conveyed via the second hardware interface to the protected destination.

CROSS-REFERENCE TO RELATED APPLICATION

This application is a continuation of U.S. patent application Ser. No.13/604,677, filed Sep. 6, 2012.

FIELD OF THE INVENTION

The present invention relates generally to digital communications andcontrol, and particularly to systems and methods for securecommunications.

BACKGROUND

In a computer network handling sensitive data, portions of the networkmay be connected by one-way data links. The term “one-way link” is usedin the context of the present patent application and in the claims torefer to a communication link that is physically configured to carrysignals in one direction and to be incapable of carrying signals in theopposite direction. One-way links may be implemented, for example, usingWaterfall® systems, which are manufactured by Waterfall SecuritySolutions, Ltd. (Rosh HaAyin, Israel). The Waterfall system provides aphysical one-way connection based on fiberoptic communication, using anunderlying proprietary transfer protocol. When a transmitting computeris connected by a Waterfall system (or other one-way link) to areceiving computer, the receiving computer can receive data from thetransmitting computer but has no physical means of sending any returncommunications to the transmitting computer.

One-way links may be used to prevent data either from entering orleaving a protected facility. For example, confidential data that mustnot be accessed from external sites may be stored on a computer that isconfigured to receive data over a one-way link and has no physicaloutgoing link over which data might be transmitted to an external site.On the other hand, in some applications, the operator of the protectedfacility may be prepared to allow data to exit the facility freely via aone-way link, while preventing data from entering the facility in orderto thwart hackers and cyber-terrorists.

In this latter category, for example, U.S. Pat. No. 7,649,452, whosedisclosure is incorporated herein by reference, describes protection ofcontrol networks using a one-way link. As described in this patent, amethod for monitoring a process includes receiving a signal from asensor that is indicative of a physical attribute associated with theprocess and transmitting data indicative of the received signal over aone-way link. The transmitted data received from the one way link areused in monitoring the process. The method is described in the patentparticularly in the context of Supervisory Control And Data Acquisition(SCADA) systems. A SCADA system receives monitoring data from themonitored facility via a one-way link. The SCADA system is unable totransmit any sort of data back to the monitored facility (although aseparate, open-loop connection may be provided for this purpose), andtherefore cannot be used as the base for an attack on the facility.

SUMMARY

Embodiments of the present invention that are described hereinbelowprovide apparatus and methods for automatically controlling inputs to aprotected destination.

There is therefore provided, in accordance with an embodiment of thepresent invention, communication apparatus, including a one-way,hardware-actuated data relay, which includes a first hardware interfaceconfigured to receive a command from a communications network and asecond hardware interface configured to convey the received command to aprotected destination when the relay is actuated. A decoder includes athird hardware interface configured to receive a digital signature forthe command from the communications network and hardware decoding logiccoupled to verify the digital signature and to actuate the relay uponverifying the digital signature, whereby the command is conveyed via thesecond hardware interface to the protected destination.

In one embodiment, the apparatus includes a one-way link, which isseparate from and independent of the one-way relay and is configured toconvey output data from the protected destination to the communicationsnetwork but is physically incapable of conveying input data from thecommunications network to the protected destination.

In a disclosed embodiment, the protected destination is a utilitycontrol station, and the command is configured to control an operatingconfiguration of the station.

In some embodiments, the apparatus includes a transmission station,which includes hardware encoding logic, which is configured to generatethe digital signature for the command so as to identify a source of thecommand. A communications processor is configured to transmit thedigital signature over the network to the third hardware interface, andto send the command over the network from the source of the command tothe first hardware interface. The hardware encoding logic may becontained in a user authentication unit, which is configured toauthenticate an identity of a user of the transmission station beforegenerating the digital signature.

In a disclosed embodiment, the apparatus includes hardware logic, whichis coupled between the first and second hardware interfaces so as toreceive the command from the first interface, to compare the receivedcommand to a set of hardware masks corresponding to permitted commands,and to pass the received command to the second interface only when thereceived command matches one of the masks.

There is also provided, in accordance with an embodiment of the presentinvention, communication apparatus, including a first hardware interfaceconfigured to receive a command from a communications network and asecond hardware interface configured to convey the received command to aprotected destination. Hardware logic is coupled between the first andsecond interfaces so as to receive the command from the first interface,to compare the received command to a set of hardware masks correspondingto permitted commands, and to pass the received command to the secondinterface only when the received command matches one of the masks.

In a disclosed embodiment, the permitted commands have a predefined dataformat such that each permitted command consists of a name and apermitted value associated with the name. In one embodiment, theprotected destination is a utility control station, and the apparatusincludes a monitor, which is coupled to receive the received commandfrom the second interface and to decode the received command from thepredefined data format to an inter-control center communicationsprotocol for input to the utility control station. The apparatus mayinclude a transmission station, which is configured to receive an inputin accordance with the inter-control center communications protocol froma command source and to encode the input in accordance with thepredefined data format for transmission over the network to the firstinterface.

There is additionally provided, in accordance with an embodiment of thepresent invention, a method for communication, which includes coupling aone-way, hardware-actuated relay to receive a command from acommunications network and to convey the received command to a protecteddestination when the relay is actuated. A digital signature is receivedfrom the communications network and is verified using hardware decodinglogic. Upon verifying the digital signature, the relay is actuated,whereby the command is conveyed to the protected destination.

There is further provided, in accordance with an embodiment of thepresent invention, a method for communication, which includes receivinga command directed to a protected destination from a communicationsnetwork. The received command is compared to a set of hardware maskscorresponding to permitted commands. The received command is passed tothe protected destination only when the received command matches one ofthe hardware masks.

The present invention will be more fully understood from the followingdetailed description of the embodiments thereof, taken together with thedrawings in which:

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram that schematically illustrates a system forsecure monitoring and control, in accordance with an embodiment of thepresent invention;

FIG. 2 is a block diagram that schematically shows functional elementsof a system for secure control of a protected destination, in accordancewith an embodiment of the present invention;

FIG. 3 is a block diagram that schematically shows functional elementsof a system for secure control of a protected destination, in accordancewith another embodiment of the present invention;

FIG. 4 is a block diagram showing details of a secure uplink controller,in accordance with an embodiment of the present invention; and

FIG. 5 is a block diagram that schematically illustrates a secureproxy-based communication system, in accordance with an embodiment ofthe present invention.

DETAILED DESCRIPTION OF EMBODIMENTS

Unlike conventional firewalls, one-way links permit information to leavea protected facility without risk to the safety or availability of thenetwork in the facility due to attacks originating on an externalnetwork. In practice, however, there is sometimes a need to transmit atleast small amounts of information from an external network back intothe protected facility.

There are a number of risks associated with such communications. Onerisk is that if malware has somehow been introduced into the protectednetwork (possibly by insider collaboration), communications back intothe protected network could be used to trigger an attack. For example,the malware could cause a computer in the facility to recognize acertain string communicated back into the protected network as a commandto initiate some harmful action. Another risk is that an attacker mightuse the communications channel into the facility to cause unsafe orunreliable conditions in the protected network, by means of a bufferoverflow attack, for instance. Such an attack could then be used tointroduce remote control malware into the protected network, and providean attacker with the means to interactively explore and sabotage theprotected network.

Embodiments of the present invention that are described hereinbelowaddress these risks by permitting a controlled flow of small amounts ofinformation into a protected network. The flow is automaticallycontrolled so that software-based attacks on protected equipment becomedifficult or impossible to carry out, even if parts of the command andcommunications system themselves become compromised. In contrast toconventional firewalls, the control is carried out by hardware logic,rather than software. Consequently, remote attackers are unable tochange the operating configuration of the protection logic or to causeit to perform any function other than those initially programmed by thelogic designer. In the disclosed embodiments, the hardware logic isconfigured to control the format and content of commands that can besent to a protected destination. The hardware logic may alsoauthenticate these commands to ensure they were produced by anauthorized transmitter. As a result, by compromising an authorizedtransmitter, an attacker may, at worst, be able to send an incorrectcommand to the destination, but will not be able to gain control overthe protected facility.

Some embodiments of the present invention use the concept of a datarelay—hardware that accepts and holds a set of digital input commandsthat are sent from a set of source hardware interfaces and directed todestination computer hardware, network(s) or CPU(s). When the relay istriggered, the inputs are transferred to the outputs of the data relayand so are made available to destination hardware interfaces of thedestination computer hardware, CPU(s) or network(s). An optionalauthentication hardware component, such as a digital signature decoder,can be configured to trigger the data relay when authenticationinformation, such as a digital signature, is found to match the digitalinput commands in the holding area of the data relay. An optionalfiltering hardware component, which may be part of the data relay,allows movement of the commands from the input interfaces to outputinterfaces if and only if the commands match a hardware mask orwhitelist of allowed commands.

As noted earlier, data relays of this sort can be particularly useful inconjunction with one-way links, for example in situations in whichinformation is allowed to flow freely out of a facility via a one-waylink, while the flow of commands into the facility is strictlycontrolled. The principles of such data relays and secure communicationproxies that are described herein, however, are by no means limited tothis sort of operating environment and may be used with or without aone-way link, depending on system and application requirements.

FIG. 1 is a block diagram that schematically illustrates a system 20 forsecure monitoring and control, in accordance with an embodiment of thepresent invention. In this example, system 20 is used to monitor andcontrol an industrial control system in a utility control station 22,such as a transmission and switching station of an electric powerutility. Although for the sake of simplicity, only a single station 22is shown in FIG. 1, in practice utilities generally operate many suchstations. Station 22 typically comprises operational elements, such asswitches 24, which make and break power connections. In many actualsystems, stations 22 are unmanned, and switches 24 are controlledremotely by command transmission stations, such as a control terminal32, for example.

Although the pictured example relates, by way of illustration, to anelectric power utility, the principles of the present invention are notlimited to this particular operating context. Rather, the apparatus andmethods that are described below may be applied to utilities of othertypes (such as gas or water utilities, for instance), as well as inindustrial environments and substantially any other application in whichtight control is to be exercised over commands that may be input to aprotected destination. Station 22 is just one example of such adestination, which is presented here for the sake of clarity ofexplanation. Certain embodiments of the present invention are describedhereinbelow, for the sake of clarity and without limitation, withrespect to the elements of system 20, but the principles of theseembodiments and the techniques that they incorporate may similarly beapplied in other operating environments in which a destination is to beprotected from undesired data input and unauthorized access.

Station 22 is typically designed as a closed, secure facility, protectedphysically against unauthorized entry. A monitor 26 in station 22 inputscommands to switches 24 and monitors the operation of the switches andother components of the station. Typically, monitor comprises multiplesensors and actuators, which are distributed throughout station 22 andreport via a secure internal network to a controller (not shown), asdescribed, for example, in the above-mentioned U.S. Pat. No. 7,649,452.Monitor 26 outputs data collected from the sensors and actuators via aone-way link 28 to a network 30, which conveys the data to terminal 32.Network 30 may comprise any suitable wired or wireless network, or acombination of such networks, including public networks, such as theInternet.

One-way link 28 conveys output data from station 22 to network 30 but isphysically incapable of conveying input data from the network to thestation. For this latter purpose, station 22 comprises an uplinkcontroller 34, which typically has an interface coupled to network 30and another interface to the protected elements of the station. In thisexample, controller 34 inputs commands to monitor 26, which thenactuates switches 24 to carry out the commands. Uplink controller 34comprises hardware logic, which authenticates the commands that areinput to monitor 26 and limits the times, quantities, and/or content ofthese commands, as described further hereinbelow. Monitor 26 receives noinputs from network other than via uplink controller 34, which istypically contained in station 22 and is thus itself protected fromphysical and electrical tampering.

Commands initiated by an operator of terminal 32 (or possibly initiatedautonomously by the terminal itself) are formatted by a processor 36,which typically comprises a general-purpose computer processor runningstandard software. The commands may be formulated in accordance with astandard protocol, such as the inter-control center communicationsprotocol (ICCP), as is known in the art. A secure encoder 38 operates inconjunction with processor 36 so as to transmit inputs to uplinkcontroller 34 in the proper, authenticated form. Typically (although notnecessarily), encoder 38 also comprises hardware logic, to prevent anattacker from mimicking or gaining control over the encoding functions.Even if an attacker does gain control over encoder 38, however, thedamage he or she will be able to do to station 22 will generally belimited to inputting incorrect commands (such as improper settings ofswitches 24), as other commands are blocked by the protective logic inuplink controller 34.

FIG. 2 is a block diagram that schematically shows functional elementsof system 20, in accordance with an embodiment of the present invention.In this embodiment, terminal 32 comprises a command source 40, typicallyin the form of software running on processor 36, which generates acommand input in a conventional format (such as ICCP) or any suitableproprietary format. A hardware encoder 42, which may be embodied inencoder 38, encodes the command input in accordance with a predefineddata format that is supported by uplink controller 34. This formatdefines a syntax of permitted commands, and may specify, for example,that each permitted command consists of a parameter name and a valueassociated with the name. The names and values are selected fromlimited, predefined lists of permitted names and values. Command inputsfrom source 40 that can be expressed in this way are accepted andencoded by encoder 42, whereas commands attempting to invoke otherfunctions within station 22, even if legally composed in theconventional command format, may be rejected. Typically, hardwareencoder 42 is implemented in hard-wired or programmable logic and doesnot include any software-driven components, such as a central processingunit (CPU). The hardware encoder may encode the commands using strongencryption and cryptographic authentication techniques, so that uplinkcontroller 34 can distinguish commands coming from an authentic sourcefrom other commands and attacks.

A communication interface 44 in terminal 32 generates a communicationstream containing the encoded command for transmission over network 30to station. Interface 44 may, for example, establish a secure connection(such as a Transport Layer Security [TLS] encrypted connection, as isknown in the art) with a corresponding communication interface 46 ofuplink controller 34. This sort of conventional data security measureadds a further layer of protection to the operation of the dedicatedhardware logic.

Communication interface 46 passes commands that it receives to hardwaredecoding logic 48, which like encoder 42 typically contains no CPU orother software-driven components. Like encoder 42, decoder 48 may bepart of a larger hardware/software decoder unit 49. Logic 48 mayauthenticate received commands, and accept only authentic commands.Logic 48 decodes accepted commands and compares each such command to aset of predefined hardware masks corresponding to permitted commands(such as permitted couples of names and values, as described above).Commands that match one of the masks are passed through to a commanddestination 50, such as monitor 26. Assuming monitor 26 comprisesstandard components, decoder unit 49 may decode these commands back intoa conventional format, such as ICCP, to which these components areprogrammed to respond. Decoder 48 rejects commands that do not match anyof the predefined hardware masks. As a result, only commands that invokecertain predefined, permitted actions in station 22 will reach monitor26, while malformed or otherwise dangerous commands that could be usedto mount an attack are blocked.

FIG. 3 is a block diagram that schematically shows functional elementsof system 20, in accordance with another embodiment of the presentinvention. This embodiment may be used either together with orindependently of the embodiment of FIG. 2, depending on security needs.In this embodiment, terminal 32 comprises a hardware authentication unit52, which may be comprised (functionally and/or physically) in encoder38. Unit 52 comprises hardware encoding logic, which generates a digitalsignature so as to identify the source of commands. The digitalsignature may be generated, for example, using methods of asymmetricencryption that are known in the art, or using any other suitabletechnique. Processor 36 generates commands to station 22, andcommunication interface 44 transmits these commands together with thedigital signature over network 30 to station 22.

Authentication unit 52 may comprise a plug-in user authentication unit,which generates the digital signature only after authenticating theidentity of the operator of terminal 32 who is inputting the commands.For this purpose, unit 52 may comprise, for example, a secure memorywith a secret key and encryption circuits for generating the digitalsignature, as is known in the art. For enhanced security, unit 52 maycomprise a keypad for input of a password by the user and/or a biometricidentification device, such as a fingerprint reader. Additionally oralternatively, unit 52 may include a timestamp and/or sequence number inthe signatures that it generates in order to foil replay attacks.

Uplink controller 34 has two interfaces to network 30: communicationinterface 46, which receives the digital signatures generated byauthentication unit 52, and an input interface to a one-way,hardware-actuated relay 56, which receives the commands generated byprocessor 36. The two interfaces may be separate physical interfaces orsimply separate ports on a single physical interface. Interface 46passes the digital signatures to a decoder 54, comprising hardwaredecoding logic, which verifies the digital signature. Upon verifyingthat the signature is correct and authentic, decoder 54 actuates relay56, so that the command sent by processor 36 is conveyed through therelay to monitor 26.

In this manner, the command input to monitor 26 is open for only short,controlled periods of time. All transmissions outside these periods(whether from terminal 32 or other sources) are blocked. Because decoder54 and relay 56 are implemented in hardware, which is located inside theprotected environment of station 22, it is essentially impossible tobypass their blocking functionality by means of a software attack. Thetime periods during which relay 56 is actuated may be short (typicallyless than 10 sec, and possibly less than 1 sec, for instance), and theamount of data permitted through each time the relay opens may berestricted to a certain number of bytes. Consequently, even if anattacker is able to gain control of authentication unit 52, his or herability to interact through uplink controller 34 with other elements ofstation 22 will still be very limited. The switching functions ofdecoder 54 and relay 56 may be combined with the masking function of theembodiment of FIG. 2 for still greater security.

FIG. 4 is a block diagram that schematically shows details of uplinkcontroller 34, in accordance with an embodiment of the presentinvention. In this implementation, the uplink controller comprises anopen portion 60 and a secure, tamper-proof portion 62. Communicationinterface 46, which comprises a suitable hardware component such as anEthernet interface, receives and passes incoming data packets fromnetwork 30 to an external (unsecured) microcontroller 64, such as anARM9 processing unit with a memory 66 for initial processing.Microcontroller 64 passes the digital signatures via a one-way link 68to hardware decoding logic 54. Logic 54 may comprise a gate array orASIC chip, which is programmed to decode and verify the digitalsignatures using keys and other secret data stored in a secure memory70.

Upon successfully verifying an incoming digital signature, logic 54signals a secure, internal microcontroller 72, which may similarlycomprise an ARM9 processing unit with a memory 74. Microcontroller 72instructs relay control logic 56 to open a one-way data relay from aninput interface 76, which is connected to network 30, to an outputinterface 78, which is connected to monitor 26. Like interface 46,interfaces 76 and 78 comprise suitable hardware components, such asEthernet interfaces, although other communication standards maysimilarly be supported.

FIG. 5 is a block diagram that schematically illustrates a secureproxy-based communication system 80, in accordance with anotherembodiment of the present invention. In this example, secure ICCPproxies 86 and 88 support a peer-to-peer, secure communications sessionbetween an Energy Management System (EMS) 82 in a control center and aDistributed Control System (DCS) 84, which controls an electricalgenerator. A conventional connection between EMS 82 and DCS 84 would useICCP through either a trusted, dedicated communications network orthrough a Virtual Private Network (VPN) traversing an untrusted network.The illustrated configuration allows both the EMS and the DCS tomaintain this conventional ICCP communication model. Secure ICCP proxies86 and 88 convert these conventional communications into a pair ofsecure command channels in a manner that is transparent to the EMS andDCS. Proxies 86 and 88 transmit information through untrusted network30, such as the public Internet, without risk of an attack from thenetwork compromising either the EMS or DCS, or of an attack from acompromised EMS or DCS propagating through the ICCP connection tocompromise the peer DCS or EMS.

In the embodiment of FIG. 5, each secure ICCP proxy 86, 88 is both asource and a destination of a secure command channel. In secure ICCPproxy 86, for example, an ICCP proxy processor 90 receives commands sentby EMS 82, and converts them into the secure sort of name:value syntaxdescribed above. A source encoder 92 encodes the converted commands,typically using hardware-implemented encoding logic as described above,and a communications processor 94 thus sends the commands securely overnetwork 30 to the communications processor of proxy 88. A destinationdecoder 96 in proxy 88 decodes the commands, typically usinghardware-implemented decoding logic, and ICCP proxy processor 90 inproxy 88 converts them back into the standard ICCP format for deliveryto DCS 84, as though the EMS had communicated them directly to the DCS.

In similar fashion, secure ICCP proxy 88 receives ICCP data reports fromDCS 84 and converts and encodes the reports for transmission to proxy86. Proxy 86 decodes and converts the data back into ICCP format andpasses the data to EMS 82, as though the DCS had communicated thereports directly to the EMS using ICCP.

The configuration shown in FIG. 5 can similarly be adapted for use inother communication scenarios and with other protocols. For example,this same sort of configuration can protect EMS-to-substationcommunications using the DNP3 Distributed Network Protocol, bysubstituting DNP3 for ICCP in the above description and substituting asubstation remote terminal unit (RTU) for the DCS. Other applicationswill be apparent to those skilled in the art and are considered to bewithin the scope of the present invention.

It thus will be appreciated that the embodiments described above arecited by way of example, and that the present invention is not limitedto what has been particularly shown and described hereinabove. Rather,the scope of the present invention includes both combinations andsubcombinations of the various features described hereinabove, as wellas variations and modifications thereof which would occur to personsskilled in the art upon reading the foregoing description and which arenot disclosed in the prior art.

The invention claimed is:
 1. Apparatus for transmission of commands,comprising: a processor running software which generates commands in afirst predetermined command format, responsive to input from a user;hardware encoding logic configured to receive commands in the firstpredetermined command format from the software running on the processor,to convert the received commands into a second predefined converted dataformat of permitted commands including only a limited subset of thecommands in the first predetermined command format and tocryptographically sign the converted commands in the second predefinedconverted data format into a third cryptographically signed format; anda communications processor configured to transmit the cryptographicallysigned converted commands in the third cryptographically signed formatover a communications network, wherein the hardware encoding logiccomprises dedicated hardware logic not containing a CPU and is designedsuch that its task of converting the received commands from the firstformat into the second predefined converted data format cannot bechanged remotely, wherein some commands legally composed in the firstpredetermined command format are not included in the limited subset ofthe second predefined converted data format.
 2. The apparatus accordingto claim 1, wherein the permitted commands of the second predefinedconverted data format are defined by stating for each permitted commanda name of the permitted command and defining permitted and non-permittedvalues associated with the name.
 3. The apparatus according to claim 1,wherein the permitted commands in the second data format are for controlof a protected destination.
 4. The apparatus according to claim 3,wherein the protected destination is an industrial control system, andwherein the permitted commands in the second data format are configuredto control an operating configuration of the industrial control system.5. The apparatus according to claim 3, wherein the protected destinationis a utility control station, and wherein the permitted commands areconfigured to be converted into an inter-control center communicationsprotocol for input to the utility control station.
 6. The apparatusaccording to claim 5, wherein the processor is configured to generatethe commands in accordance with the inter-control center communicationsprotocol.
 7. The apparatus according to claim 1, wherein the hardwareencoding logic is configured to encrypt the commands it receives.
 8. Theapparatus according to claim 1, wherein the hardware encoding logic iscontained in a user authentication unit, which is configured toauthenticate an identity of a user of the apparatus before convertingthe commands into the predefined converted data format.
 9. The apparatusaccording to claim 1, wherein the hardware encoding logic compriseshardware logic not driven by software.
 10. A method for communication,comprising: receiving an instruction to generate a command directed to aprotected destination, from a user, by a transmission station;generating a command in a first predetermined command format including aset of allowed commands, responsive to the instruction from the user, bysoftware running on a processor; converting the generated command into asecond predefined converted data format of permitted commands includingonly a limited subset of the allowed commands in the first predeterminedcommand format, by hardware encoding logic containing no CPU, designedin dedicated hardware logic which cannot be changed remotely, to performthe converting of the generated commands into the second predefinedconverted data format; cryptographically signing the converted commandin the second predefined converted data format into a thirdcryptographically signed format; and transmitting the cryptographicallysigned converted command in the third cryptographically signed formatover a communications network to an uplink controller, wherein somecommands legally composed in the first predetermined command format arenot included in the limited subset of the second predefined converteddata format.
 11. The method according to claim 10, wherein convertingthe generated command from the first format into the second formatcomprises encrypting the command.
 12. The method according to claim 10,wherein the permitted commands are configured to control an operatingconfiguration of an industrial control system.
 13. The method accordingto claim 10, wherein the permitted commands are configured to control autility control station.
 14. The method according to claim 13, whereinreceiving the instruction to generate a command comprises receiving aninstruction to generate a command in accordance with inter-controlcenter communications protocol (ICCP).
 15. The method according to claim10, wherein the permitted commands of the second predefined converteddata format are defined by stating a name of the command and definingpermitted and non-permitted values associated with the name.
 16. Themethod according to claim 10, wherein the hardware encoding logiccomprises hardware logic not driven by software.
 17. The apparatusaccording to claim 1, wherein the processor and the hardware encodinglogic are included together in a transmission station.